An update for squid34 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

The "squid34" packages provide version 3.4 of Squid, a high-performanceproxy caching server for web clients, supporting FTP, Gopher, and HTTP dataobjects. Note that apart from "squid34", this version of Red Hat EnterpriseLinux also includes the "squid" packages which provide Squid version 3.1.

Security Fix(es):

* A buffer overflow flaw was found in the way the Squid cachemgr.cgiutility processed remotely relayed Squid input. When the CGI interfaceutility is used, a remote attacker could possibly use this flaw to executearbitrary code. (CVE-2016-4051)

* Buffer overflow and input validation flaws were found in the way Squidprocessed ESI responses. If Squid was used as a reverse proxy, or forTLS/HTTPS interception, a remote attacker able to control ESI components onan HTTP server could use these flaws to crash Squid, disclose parts of thestack memory, or possibly execute arbitrary code as the user running Squid.(CVE-2016-4052, CVE-2016-4053, CVE-2016-4054)

* An input validation flaw was found in the way Squid handled interceptedHTTP Request messages. An attacker could use this flaw to bypass theprotection against issues related to CVE-2009-0801, and perform cachepoisoning attacks on Squid. (CVE-2016-4553)

* An input validation flaw was found in Squid's mime_get_header_field()function, which is used to search for headers within HTTP requests. Anattacker could send an HTTP request from the client side with speciallycrafted header Host header that bypasses same-origin security protections,causing Squid operating as interception or reverse-proxy to contact thewrong origin server. It could also be used for cache poisoning for clientnot following RFC 7230. (CVE-2016-4554)

* A NULL pointer dereference flaw was found in the way Squid processes ESIresponses. If Squid was used as a reverse proxy or for TLS/HTTPSinterception, a malicious server could use this flaw to crash the Squidworker process. (CVE-2016-4555)

* An incorrect reference counting flaw was found in the way Squid processesESI responses. If Squid is configured as reverse-proxy, for TLS/HTTPSinterception, an attacker controlling a server accessed by Squid, couldcrash the squid worker, causing a Denial of Service attack. (CVE-2016-4556)

4. Solution:

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to: